
Online sharing has exploded lately. Just yesterday, The New York Times ran a story on the new ways that people are sharing their personal information online. But then today, it came out that one of those companies exposed some of its users' credit card numbers to Google search.

Oops! Online purchase sharing site Blippy just closed an $11.6 million round of funding. And it's a good thing it did, because the company is going to continue getting a lot of flak for this for a long time.

Blippy lets its users share their purchasing information with their friends. According to The New York Times:

"This is all part of one big trend: People are becoming more relaxed about privacy, having come to recognize that publicizing little pieces of information about themselves can result in serendipitous conversations — and little jolts of ego gratification."

But no one on the site expected to publicize their credit card numbers. Except that is what happened this week — or at least what was discovered this week.

Blippy has never intentionally published personal credit card information. But card details are included in the raw transaction data the service works from, before the company strips them out to share less dangerous purchasing information among users. Several months ago, when Blippy was in public beta, this transaction data was part of the underlying code on Blippy's site. And it turned up in Google search results. Until today, when someone searched the terms "Blippy" and "from card" they were rewarded with credit card information from Blippy users.

Not all users were exposed. The credit card numbers shown belonged to only four Blippy beta users. Since coming out of beta, Blippy has cleaned up its code so Google cannot scrape this info from the site.
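A pre-publication check for this class of leak, as an added example (not Blippy's code): it scans the whole page markup, including attributes and comments that a crawler indexes but a visitor never sees, for Luhn-valid card numbers and masks them. The sample markup, its attribute names and the function names are constructed assumptions; the card number is the standard Visa test value.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(markup: str) -> list[str]:
    """Return Luhn-valid card numbers found anywhere in the raw markup."""
    hits = []
    for m in PAN_RE.finditer(markup):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(markup: str) -> str:
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # leave non-card digit runs untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, markup)


# Constructed sample: the visible text is harmless, the raw bank
# description sits in an attribute that search engines still index.
SAMPLE_PAGE = """<li class="purchase" title="CAFE EXAMPLE NYC from card 4111 1111 1111 1111">
  <span class="who">alice</span> spent $4.50 at Cafe Example
  <!-- raw: order 1234567890123456 ref -->
</li>"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_PAGE))
    print(redact(SAMPLE_PAGE))
```

Running `find_pans` over rendered responses in a test suite or an outbound filter catches the leak before a crawler does; redaction at render time is a backstop, not a substitute for dropping the card data at ingestion.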

Blippy cofounder Philip Kaplan tells VentureBeat:

"While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it's a lot less bad than it looks."

On the ratios, it is. Not even all of Blippy's beta users were affected. Four out of thousands is not a bad percentage. But it's not good. And the fact that this was available on Google for MONTHS is equally bad news for Blippy.

Like the rest of us, the company only found out about the breach today. And while it's completely possible that no one's credit card info was actually stolen, this incident underlines a growing issue online.

Tiny start-ups trying to create "serendipitous conversations" are now dealing with very sensitive information online. And while consumers trust them to be careful with that information, that's not always possible.

Mostly that is because they're creating their business models, and their code, as they go. There is a lot of room for error in how these companies work. Take, for example, event sharing company Hot Potato, which relaunched at SXSW and accidentally rebooted its database, sending out hundreds of repeat emails and deleting the histories of many of its users.

Many people are wary of sharing intimate information online because they are not sure how it will be handled. Count many big companies among them, including Amazon, which blocked its users from sharing their purchasing history with Blippy last year. Blippy got around that hurdle by requesting access to users' Gmail accounts, which they gladly handed over. It then scraped users' Amazon purchases from their emails and put them up for other users to see.

Blippy gets around 125,000 visitors a month. That's nothing compared to Amazon's traffic. And while there is no indication that Amazon would have been affected by this recent security lapse, it is sure to scare larger companies off signing on to work with Blippy in the future. Errors like this — even if it only truly affected four people — serve as a reminder that the new social web is not as safe as many would like.

Images: Blippy, Mashable

Meghan Keane

Published 23 April, 2010 by Meghan Keane

Based in New York, Meghan Keane is US Editor of Econsultancy. You can follow her on Twitter: @keanesian.


Comments (2)



This is one of the major risks associated with startups, and using the services of a startup. Many startups employ brilliant people and have extremely talented web developers building great applications and utilizing the latest technologies. Unfortunately, while all these “cool” things are being developed sometimes security, in particular, web application security, is an oversight.

Many startups don’t have the budgets and resources available to really secure web apps properly and check code against common threats and bad practices. Firewalls and network security aren’t the solution. Startups need to start realizing this, start paying more attention to how to secure their applications and their data, utilize encryption and also have a plan in the event of a data breach.

over 6 years ago



Mike is correct.  The fault is nothing that a bit of threat modelling and a risk assessment wouldn't have uncovered.

As for Kaplan's comments about "not as bad as it looks", I'm afraid he's wrong and it's worse than it looks.  Why do they have the card data in plain text anyway?  Where else has this data been published - logs, backups, reports, printouts, etc?

over 6 years ago
